Russian-Speaking Turla Attackers Hijacking Satellite Internet Links

A group of Russian-speaking threat actors that has been active for more than 10 years has been hijacking satellite-based Internet links as a tactic to hide its whereabouts, Kaspersky Lab said Wednesday.

Known as the Turla cyber-espionage group (also known as Snake or Uroburos), the attackers combine a technically easy method of hijacking downstream bandwidth from various ISPs with packet spoofing to obtain a much higher degree of anonymity than possibly any conventional method, such as renting a Virtual Private Server (VPS) or hacking a legitimate server, the Russian security firm said.

According to Stefan Tanase, Senior Security Researcher at Kaspersky Lab, the initial investment to conduct an attack using the method would cost less than $1,000, with ongoing maintenance costing less than $1,000 per year.

Kaspersky explained that after using the “Epic backdoor” to profile victims and identify targets, the attackers use an extensive satellite-based communication mechanism in the final stages of an attack on high-profile targets to help hide their traces.

“In this case, outgoing requests from a user’s PC are communicated through conventional lines (a wired or GPRS connection) with all the incoming traffic coming from the satellite,” Kaspersky Lab explained. “This technology allows the user to get a relatively fast download speed; however, it has one big disadvantage: all the downstream traffic comes back to the PC unencrypted. Any rogue user with the right set of inexpensive equipment and software could simply intercept the traffic and get access to all the data that users of these links are downloading.”

The Turla group takes advantage of this weakness in a different way by using it to hide the location of its Command and Control servers using the following tactics:

• The group first “listens” to the downstream from the satellite to identify active IP addresses of satellite-based Internet users who are online at that moment.

• They then choose an online IP address to be used to mask a C&C server, without the legitimate user’s knowledge.

• The machines infected by Turla are then instructed to exfiltrate data towards the chosen IPs of regular satellite-based Internet users. The data travels through conventional lines to the satellite Internet provider’s teleports, then up to the satellite, and finally down from the satellite to the users with the chosen IPs.

The users of systems connected to an IP address used by the attackers to receive data from an infected machine will also receive these packets of data but will probably not notice them, Kaspersky said. “This is because the Turla attackers instruct infected machines to send data to ports that, in the majority of cases, are closed by default. The PC of a legitimate user will simply drop these packets while the Turla C&C server, which keeps those ports open, will receive and process the exfiltrated data.”
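The tactics described above imply one check a network defender can run on egress flow logs: internal hosts sending data to satellite-ISP address space on ports that ordinary services do not use. The following is an added example, not code from Kaspersky or from the original article; the netblocks are documentation-only ranges standing in for ranges taken from published IOCs, and the internal range, port list and flow records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: documentation-only ranges stand in for satellite-ISP netblocks
# that would come from published IOCs or a threat-intelligence feed.
SATELLITE_NETS = [ipaddress.ip_network(n)
                  for n in ("198.51.100.0/24", "203.0.113.0/24")]
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
# Ports an ordinary Internet-facing service would plausibly use (assumed list).
COMMON_SERVICE_PORTS = {25, 53, 80, 123, 443}

# Constructed flow records: (source IP, destination IP, destination port, bytes sent)
SAMPLE_FLOWS = [
    ("10.1.4.22", "198.51.100.77", 51413, 48_000),
    ("10.1.4.22", "203.0.113.9", 51413, 120_000),
    ("10.1.8.40", "203.0.113.200", 40022, 2_000),
    ("10.1.7.5", "198.51.100.12", 443, 9_000),     # common port: ignored
    ("10.1.9.30", "192.0.2.55", 51413, 70_000),    # destination not watched
    ("192.0.2.10", "198.51.100.77", 51413, 500),   # source is not internal
]

def in_satellite_range(ip):
    """True if the address falls inside one of the watched netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SATELLITE_NETS)

def flag_satellite_egress(flows):
    """Group suspicious outbound flows by internal host, largest sender first."""
    per_host = defaultdict(lambda: {"bytes_out": 0, "destinations": set()})
    for src, dst, dport, sent in flows:
        if ipaddress.ip_address(src) not in INTERNAL_NET:
            continue
        if not in_satellite_range(dst) or dport in COMMON_SERVICE_PORTS:
            continue
        per_host[src]["bytes_out"] += sent
        per_host[src]["destinations"].add((dst, dport))
    report = [
        {"host": host, "bytes_out": data["bytes_out"],
         "destinations": sorted(data["destinations"])}
        for host, data in per_host.items()
    ]
    return sorted(report, key=lambda row: row["bytes_out"], reverse=True)

if __name__ == "__main__":
    for row in flag_satellite_egress(SAMPLE_FLOWS):
        print(row)
```

A hit is only a lead for investigation: legitimate traffic to satellite-connected sites exists, so the watched ranges and port list need tuning to the organization's own traffic.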

The Turla attackers often use satellite Internet connection providers located in Middle Eastern and African countries. Kaspersky researchers have spotted the Turla group using IPs of providers located in Afghanistan, Congo, Lebanon, Libya, Niger, Nigeria, Somalia and Zambia. Satellites that are used by operators in these countries usually do not cover European and North American territories, making it very hard for most security researchers to investigate such attacks.

The attackers behind Turla have infected hundreds of computers in more than 45 countries, including Kazakhstan, Russia, China, Vietnam and the United States, Kaspersky said. Types of organizations that have been affected include government institutions and embassies, as well as military, education, research and pharmaceutical companies.

“In the past, we’ve seen at least three different actors using satellite-based Internet links to mask their operations. Of these, the solution developed by the Turla group is the most interesting and unusual. They are able to reach the ultimate level of anonymity by exploiting a widely used technology – one-way satellite Internet. The attackers can be anywhere within range of their chosen satellite, an area that can exceed thousands of square kilometers,” Tanase said. “This makes it almost impossible to track down the attacker. As the use of such methods becomes more popular, it’s important for system administrators to deploy the correct defense strategies to mitigate such attacks.”

“Considering how easy and cheap this method is, it is surprising that we have not seen more APT groups using it. Even though this method provides an unmatched level of anonymity, for logistical reasons it is more straightforward to rely on bullet-proof hosting, multiple proxy levels or hacked websites. In truth, the Turla group has been known to use all of these techniques, making it a very versatile, dynamic and flexible cyber-espionage operation,” Tanase noted in a blog post.

Tanase pointed out that C&Cs operated by Italian surveillance software maker HackingTeam were seen on satellite IPs before, along with C&Cs from the Xumuxu group and the Rocket Kitten APT group.

“If this method becomes widespread between APT groups or worse, cyber-criminal groups, this will pose a serious problem for the IT security and counter-intelligence communities,” he said.

Along with a more detailed look, Kaspersky posted indicators of compromise (IOCs), including IP addresses, domains and MD5s, online.

In 2014, researchers detailed the connection between Turla and Agent.BTZ, the piece of malware that became notorious in 2008 after it was used in a cyberattack targeting the networks of the United States military. Some reports say that it took the Pentagon roughly 14 months to fully eradicate Agent.BTZ from military networks.

Kaspersky Lab experts say the Agent.BTZ worm has “served as an inspiration” for the creation of a range of sophisticated cyber weapons, including Red October, Turla and Flame/Gauss.

In late 2014, G Data published a report on a remote access Trojan, ComRAT, that appears to be a successor of Agent.BTZ.

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.